Aaron Li: 1Wallet & Social NFT

Here are Aaron's timesheet, peer bonus, deliverables and bio. He is currently in Palo Alto, CA (Pacific Time, UTC-7).

Timesheet & Peer Bonus (with giv.one)

Date | Hours | Tags | Artifacts | Feedback
...
354.5
(...many weeks passed. see open dev log)
2021-07-17
1.2
Token and NFT experimentation and debugging; Client API implementation for token operation
2021-07-17
11
Research on daVinci market; Client: ERC20 grid; Token assets manager; Unified token key compute utility; In-browser IPFS retrieval analysis and benchmark; Client API initialization for token contracts and metadata, and API implementations for metadata retrieval and balance checking for token and NFT contracts; Refactor and modularization of client wallet components; Smart contract support for Override-Track capability; Smart contract optimization for universal deployability (<24K); Smart contract multi-track capability; Client side state management (reducer, saga, actions) for tracking tokens, token balances, and currently selected tokens; Direct support for well known ERC-20 tokens; Infrastructure support for tokens with custom decimal settings; Unify bn.js dependency; Multi-network support for token operations and views; Token operation hash and commit hash utilities, and debugging; Auto chaining and auto refresh token balance after commit-reveal flow; Support sending tokens; fix bugs related to reveal token operations; Distinguished UI for sending tokens (re-used from sending ONEs); Various bug fixes; Complete flow demo + verification;
2021-07-18
11.2
NFT Grid, support for both ERC721 and ERC1155, share same underlying token abstraction with ERC20; Support image, animation, and metadata rendering; NFT details toggle; Responsive grid; End-to-end debugging and testing for tokens; Upgrade versions and warning messages for older clients; v0.3 release; Separate view and filtering for ERC20 and NFT grids; Support sending NFT through existing transfer UI;
2021-07-20
1
OTP Input and Refocus code review + revision + bug fixes; Provide feedback; Fix missing name issue for some ERC721 tokens
2021-07-23
6.1
Address critical security vulnerabilities with commit-reveal (#47); Constant-time commit lookup (#3, #4); Implement suggested contract optimizations in Common Prefix preliminary report (immutable variables, unchecked arithmetics); Added NatSpec compliant comments in contract code; Fix an issue with incorrect key computation of tracked tokens; Unify all reveal operations into a single function with different operation types;
...
299.5
(many weeks passed, content omitted. see open dev log)
2021-09-11
2
Address user experience issues reported by Boris; Special processing for displaying Harmony Punk; Always show full address and address-tools on header section in desktop view
2021-09-11
0.5
Support for video NFT
2021-09-12
1
Scripts for listing 1wallet deployment transactions and inferring their addresses
2021-09-12
1.5
Miscellaneous fixes (HTTPS certificate, protobuf generation; context menu of onboarding QR code upon tapping); Experimentations on non-standard Google Authenticator settings; Binance withdrawal issue (#127) investigation, reproduction, discussion (9:30pm)
2021-09-12
0.5
Review of Red Packet admin tool proposal, elaboration on NFT metadata and TODO for red packet NFT, and IPFS
2021-09-13
1
More special handling on HarmonyPunk (#128)
2021-09-13
1
Resolve miscellaneous address issue (#130); Further discussion with Binance on withdrawal issue; Relayer: deploy new library contracts only when necessary; NFT: get header only when necessary;
2021-09-13
5.5
Release v0.11.1; Make Swap available to all; Limit contract call operation to respect spending limit; Remove extraneous warnings; Make swap obey spending limit; Fix bug in Wallet Graph library that causes command operations always to fail; Make commit-reveal pace faster; Hide double OTP by default; Added expert mode, which allows the user to use double OTP and freely adjust spending limit
2021-09-14
1
Fix a bug that prevents automatic transfer of tokens upon upgrade (#133)
2021-09-14
3
Red packet design and analysis of alternatives; Complete, detailed implementation and design proposal for red packet; Discussions and open questions
2021-09-14
6
Extending daily limit to spending limit and spending interval; Smart contract library: SpendingManager; Refactor wallet smart contract and upgrade constructor and getters to be more compact and informative; Analyze Harmony Java SDK and resolve Binance withdrawal issue
2021-09-15
4.5
Release v0.12.1; Make all existing components work with spending limit and newly refactored wallet smart contract interfaces (core library, relayer, api, Send, Swap, About, and various other modules)
2021-09-16
2.5
Red packet: Gift tab in wallet; Simplify onboarding messages; Make onboarding QR code intuitive for tapping; Substantially simplify onboarding messages; Added paste-from-authenticator button for mobile view;
2021-09-16
1.5
(Continued)
2021-09-17
7
(Continued) First functional red packet creation, end-to-end; Fix issue with not showing commit-reveal progress correctly while sending tokens; Fix issues with address labels; Make several critical modules shared, exported components; Fix several library bugs (multi-call encoding, etc.)
2021-09-17
5
(Continued) and research and experiment on Android Google Authenticator issue (#136); Discussions; Refine red packet implementation, flow and debugging
2021-09-18
8
Unwrapping red packet: end-to-end, debugging, and live testing; Smart contract upgrade on nonce and operation time exposure; Various reusable frontend infrastructure components for NFT tracking, display, and management
2021-09-19
6.5
Fix Android failure to scan QR code issue; Automatically cleans up invalid or expired temporary wallets; Enable wallet to display a QR code of its address recognizable by 1wallet QR code scan and general camera scan; Intelligent camera selection for all scanning and mobile support; Enable 1wallet to scan QR code and recognize various formats and intents; Simplify prompt and process to save address for new user onboarding; Added a default, not-owned NFT so new user can experience collectibles; Review and revise haolin's work on QR code image upload; Fit and organize all new features; Various high priority miscellaneous user experience issues
2021-09-19
1.5
Fix QR code scanning error message spamming issue; Added support for scanning red packet QR code; Finalize wallet restore entirely on mobile and making video tutorial; Various discussions, debugging with online users who had issues and those reported at the offline event
2021-09-20
4
Allow advanced settings for red packet (custom message, random factor); Measures to reduce errors from claiming red packet, and show urgency; Relayer error analytics and report; Diagnosis and deep parsing of errors reported by people at offline event
2021-09-21
1
Tests, research, and analysis on various browsers and incognito modes
2021-09-22
2.5
Fix issue #147, #148 (error on restore when local double otp state is inconsistent)
2021-09-23
3
(Continued) and fix the underlying cause of the inconsistent state, ensure double otp to work properly in future versions, and add fallback compatibility / auto-fix for restoring older, inconsistent versions
2021-09-23
1
Offline event feedback review and analysis; debugging
2021-09-24
0.5
Debugging; fix a bug which may cause wallet listing screen to run into infinite loop
2021-09-27
1
Assist on #149, #150, research on #151 and 1:1 integration guidance following #149
2021-09-29
1.5
Allow integrations to make binary calls directly via hex data
2021-09-30
1
DEX and hackathon integration assistance; Fix a bug where integration calls with zero send-amount would not function;
2021-10-01
2.5
Gnosis integration debugging; Diagnose issues with Jenya arising from local inconsistent state and old wallet version as part of Gnosis integration;
2021-10-01
2.5
Safeguards and tests against using incompatible wallet versions for integrations
2021-10-01
6.5
Track and untrack tokens, NFTs; Direct integration with daVinci and customization based on its unique IPFS, API, and file formats; Mobile view
2021-10-02
3.5
(Continued); Released v0.12.4
2021-10-02
1
Fix issues that may cause inconsistent state; Diagnosis and debug with Jenya
2021-10-02
1
Gnosis integration finalization with Jenya and demo
2021-10-02
0.5
daVinci NFT purchase IPFS issue further research and adding materials for loading state
2021-10-06
0.5
Gnosis safe integration debugging on multiple environments; Analysis of causes for wallets gone missing
2021-10-06
3
Support Aegis authenticator (#151, #157); Debugging wallet gone missing and bugs in purge routine; Use simple create flow in side menu; Tolerate 30 delay of OTP code;
2021-10-07
5.5
List top 9 ERC-20 assets in wallet home screen (#158); Simplified app-call flow (#159); verify callback domain and whitelist contract and methods (#159); call data decode utility (#159); Hide temporary wallets for app connect. Test and debug Gnosis Safe integrations
2021-10-08
2
Ability to inspect old wallets; Improve wallet About screen; improve Sentry event capturing; Debug IPFS issues and improve NFT visualization robustness
2021-10-08
8
Ability to reclaim domain and tokens from old wallet, debug and testing; Sensible layout and interactions on wallet about screen; Unify row components; Fix bug with wallet purge to prevent purging partial proofs which are still used by at least one wallet; NFT gateway and display stability debugging; Reclaim reverse domain
2021-10-09
3
Release v13 (#160); Release notes; Simplify OTP confirmation flow; auto-verify domain in both directions; Fully functional Inspect and Reclaim features
2021-10-10
1
Fix upgrade OTP confirmation bug; Auto copy on address format switching; Mobile friendly wallet title; Auto-spawn temporary old wallets during app-call if needed; Store old wallets in state persistently; 4s retry interval; favicon; Simplified, minimal call screen
2021-10-10
3
(Continued)
2021-10-11
1
Timeless integration and 1wallet library sync
2021-10-11
3
Generalized method for contract and method verification during app call; Tools to add the Harmony protocol in MetaMask and to open Harmony Safe; Issue #161
2021-10-11
1.5
Gnosis Safe code review, development tracking, security analysis, and identify potential backdoors
2021-10-11
1.5
(Continued)
2021-10-12
2
(Continued)
2021-10-12
6
Even mapping extraction scripts; Issue #161, cumulative analysis and debugging; Debugging and fix issues with using old wallets; Dev state dump tool; Remove recovery on recover screen when recovery address is not set; Fix infinite loop on connect; Fix NFT tracking on mobile; Gnosis Safe integration contract interaction debugging and tests
2021-10-12
4
Gnosis Safe SushiSwap Transaction encoder tool; Functional Gnosis Safe SushiSwap end-to-end flow; Improve Swap mobile experience; disable mobile autozoom; add paste button on mobile OTP input; fix global usage stats overflow (use abbreviation); always show address options on wallet title; Hex options on wallet address components; allow displaying and choosing old wallet address and hex addresses in app connect screen
2021-10-13
3
(Continued)
2021-10-15
0.5
General integration advice and debugging and resolving Timeless address conversion issues in Python and Swift
2021-10-16
0.5
Tools with individual URLs and guides; Investigation, analysis, and guidance for issues encountered by Harmony DAO grant recipients; Issues #165, #164; expert mode support for grant recipients
2021-10-17
2
Wallet as Safari extension (macOS 12 / iOS 15) debugging, build, research, analysis, and experiments
2021-10-17
4
Trustless bridge review; Review and feedback on security risk raised by Shashank (re: forging commit); Issue #164
2021-10-18
4
(Continued) and address issue #166
2021-10-18
1
Sync with Harmony team re: domain services and use cases
2021-10-18
1.5
Transak integration review and application (#155); Analysis, planning, and feedback to Timeless regarding fiat integration and Apple Pay
2021-10-19
0.5
Analyze and fix QR code compatibility issue (Haodi) and Google Authenticator version history
2021-10-19
1.5
Sync with Transak. Preparation on Transak integration. Plan and acquire resources needed to enable ONE / USD purchase; Sync with Timeless on fiat integration
2021-10-19
2
Trustless bridge script code review and analysis
2021-10-20
5
Trustless bridge contract code review, analysis, feedback; Comparison with trusted bridge implementations
2021-10-20
5.5
Sync and feedback on Timeless Wallet integration technical issues; Implement fixes for issue #166 and the underlying issues (identifying post-recovery wallets, prevent infinite loop, show warnings, etc.)
2021-10-21
2.5
Re-work notifications; Commit-Reveal progress experience improvement; Mobile experience improvement. Warning for sending to custody-wallet addresses; More #116
2021-10-21
0.5
Cache global usage stats on client side; Resolve stats count issue (#162)
2021-10-22
5
Transak integration implementation, testing, bug analysis and sync; End-to-end staging and production tests
2021-10-24
4
Milestones, progress and development summaries, planning, public pages, and research on various issues (fiat, Apple Pay, library integration, NFT)
2021-10-24
3
Ethereum trustless bridge audit: code and design review (EthereumProvder, Harmony Prover, Merkle Patricia Tree inclusion and exclusion tests, alternative MPT implementation, javascript invocations and example usage, analysis on fork resistance)
2021-10-25
5
(Continued); Timeless integration and 1wallet library customizations
2021-10-25
1
Ethereum trustless bridge audit: more analysis on correctness of MPT membership test implementation in libraries
2021-10-25
4
(Continued) Merkle Mountain Range related implementations review and analysis
2021-10-25
4
(Continued) and all remaining components and libraries except ethash. Analysis on TokenLockerOnHarmony and concern over lack of MMR
2021-10-27
1
Timeless integration: analysis of onboarding issues, suggestions, tentative solutions and improvements
2021-10-27
2
Analysis, proposals, and planning for wallet renewal (#171), predictable address (#172), and 1wallet light client (#174)
2021-10-29
6
v14 WIP: core replacement logics, new reveal libraries, refactoring contracts to conform size limits, simplifying codes, testing; Timeless integration discussions on upgrade, review of alternative approaches in other projects, and discussion of various integration issues
2021-10-29
6
(Continued) Batch operation support; Relayer upgrade for contract caching, better logging for requests, backoff-retry initialization
2021-10-30
6
Minimal wallet setup components; Extend wallet frontend infrastructure;
2021-11-01
5
Recovery expiration checks; Recovery frontend bug fixes; 1wallet DAO change; Extend frontend infrastructure, core library hash utilities
2021-11-01
3
(Continued) Extend operation implementation and testing
2021-11-02
6
(Continued) Revamp Extend infrastructure; Script utilities for event and topic hashing; Core API for retrieving old cores; Root management utility and deletion utilities; useWallet and various common components; Contract revamp to allow authentication against old cores (old authenticator roots and times); Firelayerinitialization on Ganache; Wallet expiration checks; Wallet root checks and multi-device check
2021-11-02
7
(Continued) Core library: support loading old roots; Experiments on validating new root and old root belong to same seed
2021-11-03
3
(Continued) Self-code review and address review comments; Fix bugs in new reveal mechanism on multi-core authentication and recovery authentication;
2021-11-03
2
Revamp upgrade messaging and experience
2021-11-04
2
Fiat on-ramp refactoring and customized currency selector; Allow skip upgrade version and fix layout bugs
2021-11-09
2
Planning, updates, implementation proposals and analysis, and milestones (#189, #190, #191)
2021-11-09
1
(Continued)
2021-11-09
1.5
Using Harmony Safe with 1wallet: create, deposit, and swap tutorials; ETH bridge report discussion; BTC bridge initial review; Unstoppable domain initial review
2021-11-11
7.5
Predictable address, 1wallet deployment factory, (#172) research on proxy upgrade (#189); Bug fix: recovered wallet is stuck in wallet list
2021-11-12
5
(Continued)
2021-11-12
8
(Continued) and analysis on upgrade mechanism and future directions #189
2021-11-13
6.5
(Continued) and factory helper, identification hash mechanism for permanent recovery capability, ecrecover on identification hash on contract; major refactoring and structure optimization of contracts
2021-11-13
5
Recovery and Version libraries; Bolster TokenTracker library; Reduce main contract size by 40%; Improve ENS domain and subdomain libraries; Optimize WalletGraph
2021-11-13
3
Core structure enhancement; Setting up inner cores at initialization; Authentication logics against inner cores; Two levels of daily limit adjustment functionalities; Detailed description of design and variable purposes in comments; Relayer new formats for creating new wallets; More efficient commit and reveal from relayer
2021-11-14
6
(Continued)
2021-11-14
4
Core: make OTP seed dual purpose (also serves as private keys), re-work identification hash to conform with public key formats; Completely reworked relayer initialization code;
2021-11-14
5.5
(Continued) fix several issues with factory and deployer helper; fix issues with relayer deployment using factory;
2021-11-19
5
Core library: efficiently building merkle tree with inner cores; inner tree generations; interlaced sha256 hasher
2021-11-19
5
Make all core tests work again; Make new test utils for common procedures (creation, tree generation); Improve tests; Improve core libraries and fix bugs introduced by inner cores
2021-11-19
5
Make most tests use test utils; Factory tests; Make tests use factory; Add more encoder, decoder, and utils in tests
2021-11-20
4
(Continued) and fix bugs in recovery using inner cores
2021-11-20
2
Core construction utilities; refactoring tests
2021-11-20
3
Improved test flow; commit-reveal utilities for larger scale tests; inner core tests; Make tests use salted creation procedure, run deterministically, using separate creation seeds
2021-11-21
6
(Continued) fix core displacement contract bug; pass most significant inner core related tests (core displacement); add null operation parameters and update various other constants;
2021-11-21
2
Pass additional tests for post-core-replacement operations and transfers
2021-11-24
6
Spend limit tests; Various hash computation utilities in core lib; Relayer default spend limit values; Contract: categorize reveal hash compute functions
2021-11-25
7
Client: adapt to new creation flow, compute inner cores in workers, and store appropriately; Optimize inner core tree height; Allow relayer to be more adaptive to arguments; Experiment and reduce wallet creation duration
2021-11-28
1
Status review and updates
2021-12-01
3
1wallet presentations and summary
2021-12-01
3
1wallet short presentation
2021-12-01
1.5
(continued) presentation appendix
2021-12-02
2
(continued) talk preparation
2021-12-03
2.5
More wallet restoration methods
2021-12-03
2
Review, debug, and test address book changes (#200) and persistent store and synchronization improvements (#199) 
2021-12-04
1
(Continued)
2021-12-05
1
Review and debug an issue with swap such that estimate may be off and swap may fail for some pairs (#204)
2021-12-06
1.5
Initial review of staking dashboard code for security issues
2021-12-07
5
Fix liquidity, estimation, execution, and error handling issues with Swap
2021-12-08
3.5
Review of Chrome Extension Wallet code for vulnerability and further review of staking dashboard
2021-12-08
3
Presentation preparation and rehearsal
2021-12-09
1
Review staking dashboard code injection issues and identify possible places of injection
2021-12-10
12
(Continued) Wallet restoration proto definition; Better restoration guide; Embed predicted address in QR code during creation; OtpSuperStack component; Core library that supports v15 core construction and computing restoration eotp; State management with cache; Component implementation for restoration by 6x6 codes and recovery file handling
2021-12-11
7
(Continued)
2021-12-12
4
State persistence final review and debugging (#199); Export feature review, debugging, and improvements (#202)
2021-12-12
2
State refactoring review and conflict resolution (#209); Further state refactoring cleanup and improvements
2021-12-13
6
(Continued) Bug fixes with core apis with respect to v15 changes; Cache creation code per network; Fix relayer parameters with respect to gas usage to accommodate higher gas consumption in v15; Fix potential errors of component rendering in case of network or wallet errors; Rewrite restoration option messaging and layouts
2021-12-17
1.5
Review and testing of state refactoring part 2 (#212)
2021-12-19
8
Customizable RPC endpoints in client; env sample; Fix fallback values in new persistence state layout; Build thief hunter - tools for batch scanning websites that potentially interact with Harmony Chrome Extension Wallet; Configure the tool and acquire initial scanning results for all validators' websites on mainnet and testnet; Analysis
2021-12-20
4
refine wallet proto; separate restorebyscan component; refine syncrecoveryfile; refine recovery pages and restore pages
2021-12-20
2
Test and fix various issues with Restore: using recovery file, local import, and some compile issues; Review QR code scanner hotfix (#223)
2021-12-21
6
InnerCore tests with snapshots; Fix bug with core construction util; innerCore retrieval from contract; RPC config through env; Fix issues with wallet proto; Local export wallet with name; Fix initialization issue in OTPSuperStack; Fix focus issue with OTPStack; Fix various update and functional issues with restore-by-code, sync recovery file, and setting up new code while restoring; Recompile contracts; utilities for retrieving and processing core settings from blockchain
2021-12-21
2
(Continued)
2021-12-21
3
EOTPBuilder for encoding multiple OTPs; Exposure of util API in browser; Fix unsynced component data in restore-by-code and set-up-new-code flow, and exception handling; Testing and debugging the flows; Handling local layer storage after the flows
2021-12-21
3.5
Properly auto destroy workers; Auto-cleanup unused inner trees; Override versions in API calls during restore; Add ability to override versions in core libraries during commit and reveal; Debugging notifications for expected OTP, restore process, and other critical steps; Testing and debugging all restore methods
2021-12-21
1.5
Continued testing and debugging, and fixing restore issues; Fully functional restore-by-code, end-to-end
2021-12-21
1.5
2021-12-22
3
Use two-word names and a simple timestamp for wallet names everywhere; Display creation QR code using timestamped wallet name; Restore explanation update; Properly handle wallet names without timestamps and use wallet names with timestamps to guide user selecting the right auth code to use
2021-12-22
9
Auto-load identificationKey from blockchain for wallet initializations; Update core API and instantly initialize all contract instances without Truffle verification; Add more debugging messages in commit-reveal flow; Add debug method in message interface; Adjust camera scan delay; fix a bug where deleteRoot is not deleting tree from storage; added cleanStorage util; Call cleanStorage on wallet list init; fixed a bug where wallets might not be initialized before purging; Use WalletCreateProgress to highlight in-progress stage for wallet creation; Improving guides for Google Authenticator export guide; Show proper wallet names for info pops; Allow workers to build inner trees and add such an option; Use identificationKeys to identify tree to use in core commit-reveal flow; Make RestoreByScan fully functional; Store localIdentificationKey in RestoreByCodes
2021-12-23
4
(Continued) use .recovery1wallet for recovery files; Use localIdentificationKey to find the right layers to export in local export and import; use new wallet proto in import/export; uniformly use uint8array for secrets/seed; core: use backward compatible init counter value; duplicate seed arraybuffer on processOtpSeed; 
2021-12-23
2.5
Review #219, #225, #226; Resolve merge conflict; Fix wallet auto-migration; Use new wallet persistent state layout for restore; auto migrate global state; Cleanup secret-leaking debug message; 
2021-12-24
6
Review #224; terminate random worker on unload; more consistent getWallet return value format; add versioning comments for api create; contract: allow DISPLACE to occur with single core when innerCores are unavailable; move contract-code acquisition to routes; set gas limit for factories; Make Upgrade component compatible with v15; 
2021-12-24
4
(Continued)
2021-12-24
5
Review #222 (event notifications), #227 (lazy load); Restore: filter id keys for only ecdsa public keys; remove hardcoded addresses for deploy; core flow: separate out deriveEOTP and related functions for external use; relayer: log address of newly deployed lib; Fix event notification messages; 
2021-12-25
7
ZKU - dark forest assignment research, design, writeup, and validation of feasibility
2021-12-26
2
(Continued)
2021-12-27
2
Chrome Extension Wallet emergency response and forensic analysis of crosschain movement of funds; Analysis of victim profiles (W, T, R, S, A)
2021-12-27
6
Hacker transaction pattern analysis, Tornado Cash transaction review and tracing; Slowmist engagement and briefing; Staking dashboard and Chrome Extension Wallet version freezing and runtime code sampling
2021-12-27
5
Chrome Extension Wallet incident analysis and report, #1; Whitehat hacker engagement and briefing; Victim profile analysis and identification of common traits
2021-12-28
3
(Continued); More hacker transaction pattern analysis; 
2021-12-28
1
Report appendix; Response team briefing and analysis
2021-12-28
3
Chrome Extension Wallet code review: event listener usage and internal API flow
2021-12-28
1
FBI initial briefing
2021-12-28
2
Meeting with Shashank on 1wallet analysis and planning, Chrome Extension incident, and Tornado Cash tracing
2021-12-28
2
More extension code review and analysis (use of local storage and Chrome synced storage, safety of storage usage, research)
2021-12-28
2
Report editing; Aggregation of state police reports; More code review; Internal briefing on law enforcement engagement
2021-12-29
1.5
Response team internal briefing; FBI group meeting regarding the incident and formulation of next steps
2021-12-29
1.5
Research and analysis on bruteforce difficulty and local storage encryption strength; Hacker tracing discussions
2021-12-29
2.5
Research and analysis on Chrome zero-day issues in 2021 and their role and potential impact in the hacks; Hacker wallet and transaction analysis
2021-12-29
3
Extension code review, exception handling vulnerability analysis, writeup, and internal discussions with Jenya
2021-12-29
4
User agent analysis and discussion; More code review and research on exception handling vulnerability (e.g. potential danger of stack leaking private keys); Simulation of exception under abnormal condition and using debug tools; Internal discussion and writeup
2021-12-30
2
(Continued); 
2021-12-30
3
Response team briefing; Runtime extension JS code analysis and interaction with localStorage; Internal discussions on risk and vulnerability
2021-12-30
1.5
Bridge transaction analysis and gas usage analysis; Internal discussions
2021-12-30
7.5
Staking dashboard code review and analysis; internal discussions; Common browsing history analysis tool; Report on common browsing history of victims;
2021-12-31
5
Analysis on potential DNS vulnerability on Netlify and Staking Dashboard; Internal writeup and discussions; Analysis on security of extension build process, and recommendations; Analysis of event queue processing system in extension code; Hypothesis on potential ways of attacks; Internal discussions; Review of potential hacks
2021-12-31
2.5
Response team briefing; Validation and analysis of RPC log
2021-12-31
3
More validation and analysis on RPC log; Code review on extension active-tab handling and tab-locking mechanism; Analysis and discussion on potential issues
2021-12-31
8
Review and suggestions on incident announcement blog; Heap analysis on memory footprint of private key; Local filesystem analysis, research on extension versioning, event logging, and local filesystem footprint; Fine-grained network traffic analysis and capturing; Frontend fingerprint initial analysis; Internal discussions 
2022-01-01
4
More research and analysis on use-after-free vulnerabilities and their potential impact on extension manipulation and private key safety; More network traffic analysis
2022-01-01
3
Research and analysis on (1) Chrome flags' effects on extension security (2) tracking the existence of extension log and possible ways of using them
2022-01-01
3
Tracking unexpected movement of victim funds (J, DK) and result of suspension mechanisms; Internal discussions and analysis; Research on methods of tracking hackers
2022-01-01
3
Further analysis on local storage encryption strength and end-to-end code review; Comparison against MetaMask code and local storage encryption strength; Analysis, report, and internal discussions; Hacking transaction analysis, r,s,v signature analysis and transaction signature's relation to choice of wallets and RPC endpoints
2022-01-02
5
(Continued)
2022-01-02
3
Research and analysis on new victim's report (J); New questionnaire design; Further browser history analysis and pairwise comparisons among existing victims; Internal discussions
2022-01-02
9
Victim interview (J) and post-interview analysis with detailed report; Transaction hash and signature recovery / verification and discussions on the discrepancies
2022-01-03
4
1wallet QR code parser 
2022-01-03
2
Research and analysis on npm dependencies vulnerabilities and automated tools for such analysis
2022-01-03
4.5
Response team briefing; Briefing with Quoc and onboarding; Aggregation and labelling of victim/hacker related addresses and transactions; Discussions and investigations on npm dependencies and potential vulnerabilities; Fingerprint tracking setup and discussions
2022-01-03
5
Tracking and analyzing fingerprints in realtime; Cross-checking existing and new-found vulnerabilities with Quoc; Internal discussions; Review and feedback on hacking incident announcement blog; Investigation and analysis on post-incident interactions between victim and people with suspicious behaviors; 
2022-01-04
5
Create, configure, and deploy thiefmonitor - a server-side application that continuously monitors transactions from any set of addresses and sends structured email alerts; Fingerprint and ProtonVPN analysis
2022-01-04
2.5
Response team briefing and internal discussions; Review of Quoc's initial report on security vulnerabilities in extension wallet
2022-01-04
2
Fingerprint tracking and internal discussions and disambiguation
2022-01-04
4.5
Extension wallet clickjacking and iframe embedding issue reproduction and investigation; Demonstration and further exploitations on the issue; Internal discussion; Sync with Quoc
2022-01-05
6
Further analysis and investigation into iframe embedding vulnerability; Analysis of property-getter override vulnerability and scope of impact; Security analysis using runtime (minimized), cross-compiled code; Internal discussions; Further IP tracing and fingerprint tracing
2022-01-05
2
Response team briefing; Analysis of IP tracing and linkage of attacks; Analysis of new victim profile (O), browser history, and recent transaction history; Suspect investigation; Extension wallet deprecation planning; Internal discussions
2022-01-05
2
(Continued) Suspect investigation and interview with relevant personnel; Chrome extension security expert engagement; Damage mitigation planning and briefing
2022-01-06
1
Re-evaluation of staked asset migration plan and internal discussion; 
2022-01-06
3
Response team briefing; FBI Sync; Extension code review on miscellaneous areas; Evidence gathering, preparation, and analysis on suspect;
2022-01-06
2
(Continued) Tornado cash activity tracing on latest victims; Expansion of fingerprint tracing and IP tracing; More fingerprint analysis
2022-01-06
5
Report #2 (Additional Victims, Frontend Tracing, Backend and RPC Tracing, Log Analysis, Suspect Analysis, Background, History, Interview and Evidence)
2022-01-07
4
Blacklist log analysis and discussion; IP and fingerprint tracing and analysis; Further extension code review
2022-01-07
1
1wallet design review and sync with Darren
2022-01-07
2
Response team briefing; Node leader log processing
2022-01-08
3
1wallet v15 pre-release notes
2022-01-10
0.5
Response team briefing
2022-01-10
3
Review and analysis of AnChain report; Internal discussions
2022-01-11
1
1wallet QR parser: deduplication; write secrets to separate plaintext files; fix some messages and bugs
2022-01-11
2
AnChain sync and report discussions; Response team briefing; New victim interview (MC); Internal discussions
2022-01-12
0.5
Response team briefing
2022-01-13
1
Response team briefing; New victim analysis and next step recommendations (MC); Formulation of special process for large accounts at risk; Internal discussions
2022-01-13
0.5
(Continued) Interview with owners of large accounts at risk
2022-01-13
3.5
Review and debug 1wallet #228 (bundle size reduction), #241 (hotfix of missing styles); Fix bug in core processing util (missing array initialization); Increase timeout in response to RPC instability; Utilities for intelligently producing wallet name hints and make use in every place where names are referred; Create wallet component shared functions regarding before/after commit and preparing proofs; Rearrange balance and spend limit components; Spend limit adjustment components; 
2022-01-13
6.5
(Continued)
2022-01-14
2.5
AnChain sync; Response team briefing; Sync with Quoc; Analysis of possible scammer/imposter and linkage of hacks
2022-01-14
6
1wallet: core flow util: deriveSuperOTP; use deriveSuperOTP in RestoreByCodes; fully functional spend limit adjustment component; 
2022-01-15
4
abortion mechanism in event message; Core lib: EOTPDerivation; core util: genOTPStr (for efficient debugging when multiple OTPs are required); Add more verbose logging to relayer; use EOTPDerivation in relevant functions; Revamp spending limit prompts and checking mechanisms; fix bug in remaining limit display in balance page; Fix renew-now link
2022-01-15
1
better organized renew page
2022-01-15
6
fix truffle distinction between dev and ganache; core lib: add sanity check of parameters to makeCore; CoreDisplaced and CoreDisplacementFailed error handlings; use oldInfo's (i.e. previous security parameters / OTP roots on contract) effectiveTime on deriveSuperEOTP; More structured frontend infrastructure utils (useSuperOps, useOpsBase); Fully functional renewal for v15
2022-01-16
6
(Continued) check whether wallet hasSuperOTP; Fix issues with upgrade to v15 wallet; clear otp input only when it is nonempty; Restrict non-v15 wallets from adjusting limits; Blacklist some recovery addresses and make 1wallet DAO their recovery address during upgrade; keep react component loaded during restore to ensure wallet parameters are properly passed; Ensure worker parameter has seed; move debug message to debug mode only; Add innerRoots check on localExport; Add fallback params in Upgrade; Use api.harmony.one RPC by default; improve messages related to emitted events; fix metamask tool; remove Chrome extension wallet from readme; Improve renewal messaging; Fix an issue which may cause multiple workers to be created; 
2022-01-16
1
Chrome extension wallet incident response: new victim profile (MN), investigation, internal discussions; Emergency responses; Tornado Cash tracing and matching patterns against known hackers and victims
2022-01-16
9
(Continued); 1wallet: Fix some issues which may cause renewal to malfunction or incorrectly make wallet "expired". Fix worker spamming logs; More granular messages and instructions when user accesses functionalities that require renewed / upgraded wallets; Make upgrade box promptable; Fix a bug in renewal which causes the process to stall; Fix a bug in renewal in which old core parameters are used, in lieu of new ones; Implement early termination to enable much more efficient calls to deriveSuperOTP; Fix zero-valued effectivetime in renewal; 
2022-01-17
3
(Continued) Merged and launched v15; fix 6x6 restore failure after a wallet is upgraded and renewed from v14; Full release notes;
2022-01-17
2
Deploying v14 and v15 relayers, setting endpoints and system services; Monitor network stability and debug related issues
2022-01-17
4
Response team briefing; Victim counselling procedure consultation (MN); Further investigation into fingerprints and transaction patterns, based on new data collected from new victims;
2022-01-17
0.5
SecureLayer7 / Cure53 engagement and initial briefing; Internal discussions; 
2022-01-18
1
Chrome extension wallet PR 117 review and testing; Sync with Quoc
2022-01-18
1
Sync with Anchain; Response team briefing
2022-01-18
1
Response team internal discussions and planning
2022-01-19
1.5
Engagement with red teams and security firms; Review of all victim and perpetrator addresses, blacklisting states, and movements of funds; 
2022-01-19
0.25
Secureworks initial engagement
2022-01-19
0.5
Response team briefing
2022-01-19
1
MyContainer incident review, analysis, and discussion
2022-01-19
1.5
Engagement with private investigators and preliminary exchange of information
2022-01-20
3
Report #3 on theft incidents (New Victims, Perpetrator Tracing, Previous Victims, Suspect, Backend Server Log, Frontend Fingerprints, Total Economical Damage); Analysis of linkage between attacks on multiple victims 
2022-01-20
1
Response team briefing
2022-01-20
0.5
Sync with Sukanta and internal discussions
2022-01-20
0.25
Secureworks second and final engagement (not to proceed)
2022-01-21
0.5
VueJS injection vulnerability experimentation
2022-01-21
0.5
Private investigator initial briefing and preliminary assignment of work
2022-01-21
0.5
Response team briefing
2022-01-23
0.5
Experimentation with XSS vulnerabilities in Vue; NDA with SecureLayer7 / Cure53
2022-01-23
0.5
Analysis of new victim profiles and priorities (unassigned code names)
2022-01-24
0.5
Response team briefing
2022-01-24
0.5
Discussion with Matthew for extension wallet code analysis
2022-01-25
0.5
Victim interview and Q&A call (BL)
2022-01-25
0.5
Response team briefing
2022-01-26
1
Reproduction and verification of Quoc's extension build; Review of private investigator preliminary report
2022-01-27
0.5
Response team briefing
2022-01-27
0.5
Coalfire initial engagement and scope discussion
2022-01-27
0.5
Onboarding Matthew for extension wallet vulnerability investigation
2022-01-28
0.5
Victim interview and Q&A call (DD)
2022-01-28
0.5
Response team briefing
2022-01-28
1
Sync with Silent Auth
2022-01-29
1.5
Extension production deployment and hash-verification step-by-step guide; Quick analysis of new victim / incident
2022-01-29
1
New hackathon victim interview, analysis, and recommendation; 1wallet - engagement with Meson team (cross-chain stablecoin bridge integration)
2022-01-30
3
New victim browser history analysis (BL, DD) and manual inspection of all common sites
2022-01-30
1.5
Investigation and analysis of reported suspicious Ethereum transaction and contract address that invokes Harmony bridge
2022-01-30
0.5
Initial engagement with Merkle Science
2022-01-30
0.5
Research and feasibility study on amount-matching based Tornado Cash tracing techniques and past success stories
2022-01-31
0.5
Response team briefing
2022-01-31
0.5
2022-02-01
1
Receiving updates from AnChain and discussions of issues and next steps
2022-02-01
2.5
1wallet, project document: Use Ethereum NFT on Harmony as Avatar
2022-02-02
1.5
(Continued)
2022-02-02
1.5
Review and experimentation of Matthew's vulnerability report #1
2022-02-02
0.5
Revision on "Use Ethereum NFT on Harmony as Avatar"
2022-02-03
1
Sync with Coalfire
2022-02-04
0.5
Response team briefing
2022-02-04
1.5
Finalization of "Use Ethereum NFT on Harmony as Avatar"
2022-02-06
1
Theft case investigation (lead from Binance related activities)
2022-02-06
0.5
Malware investigation
2022-02-07
1
Anchain finding presentation and discussions
2022-02-08
1
Malware analysis and risk review
2022-02-08
1
Silent Auth proposal evaluation and feedback
2022-02-08
1
Onboarding Michael M and discussions
2022-02-09
1.5
Response team briefing; Investigation on new victim (GU); Emergency response
2022-02-10
0.5
Response team briefing
2022-02-11
0.5
Response team briefing
2022-02-11
1.5
Sync with Timeless; Adjustment of 1wallet v14 RPC endpoint; Performance tests and analysis
2022-02-11
0.5
Revisiting zero-day and UAE vulnerability; Internal discussions; Victim password strength review and analysis
2022-02-14
0.5
Sync with private investigator regarding suspect
2022-02-15
0.5
Evaluation of Project X leads
2022-02-16
1
Sync with Merkle Science on Tornado Cash findings
2022-02-16
0.5
Response team briefing
2022-02-16
1
Evaluation of Project X leads (Xoogler Demo Day projects)
2022-02-17
1
Project X deal sourcing (Xoogler meetup)
2022-02-17
1
Evaluation of Project X prospect DSCAPE, meeting, and internal discussion
2022-02-18
0.5
Evaluation of Project X leads
2022-02-18
1.5
Joint evaluation of Project X prospect Gryphon; 1wallet design sync with Darren
2022-02-18
1
Joint evaluation of Project X prospect C14
2022-02-18
1
Sync with FBI (with Merkle Science)
2022-02-19
1.5
Preparation and joint evaluation of Project X prospect Protego
2022-02-19
1.5
Joint evaluation of Project X prospect Deepwaters
2022-02-19
1.5
Project X deal sourcing (Xoogler meetup #2)
2022-02-20
1.5
Joint evaluation of Project X prospect HOPR
2022-02-20
2
Research and independent evaluation on MetaLoop; Sourcing Project X leads; Analysis on Webacy
2022-02-20
1.5
Joint evaluation of HexaTorch
2022-02-20
1
Research and offline evaluation on Project X prospect Cytus
2022-02-21
2.5
Diligence meeting with Project X investee C14; Research and diligence on C14 thesis
2022-02-21
1
Research and technical diligence on Project X investee Deepwaters
2022-02-22
2
(Continued)
2022-02-22
1
Silent Auth detailed proposal additional feedback and questions
2022-02-22
1
Diligence meeting with Deepwaters
2022-02-22
0.5
Statement of Work clarification meeting with Coalfire